Sign In Sign Up
Product
Offer Management

Deliver the right offer, to the right customer, at the right time
Subscription Management

Track and manage subscriptions
to build stronger relationships
Recurring Billing

Flexible, automated billing logic
that scales with your growth
Analytics & Insights

Understand the health of your subscription business
Revenue Retention

Reduce customer churn caused by failed or delinquent payments
Security & Reliability

Enterprise-grade security to protect your business and customers
Payments

Choose from 20+ popular payment gateway options
Integrations

Connect Chargify with hundreds of third-party applications

Resources
Contact Us
Sign In Talk to Sales Try for Free

Secure and Reliable Billing Software

A winning combination of enterprise-grade security to protect your customers and proven reliability to keep your recurring billing running smoothly.

PCI DSS Level 1 Compliant

Chargify is annually audited to maintain the highest level of PCI compliance for a service handling sensitive payment data. With billing information flowing through Chargify, you can comply with industry-standard security practices without the time and resources required to maintain such standings. Our number one goal is to protect you and your customers.

Download Chargify’s compliance validation

SOC 1 Type I Report

Service Organization Controls (SOC) exist to validate a company’s controls and ensure industry standards are followed. Our SOC 1 report was prepared in accordance with the Statement on Standards for Attestation Engagements No. 16 (a.k.a SSAE 16) and documents operational policies and procedures for Chargify’s system of internal controls.

Two-Factor Authentication

As a security best practice, we require secure passwords for all Chargify users. As an additional layer of protection, we provide the ability to enable two-factor authentication. When enabled, internal team members must enter an authentication token from their mobile device prior to gaining access to the Chargify interface.

Fine-Grained User Access Controls

Your teams play important roles in running your subscription business, but not every team member needs full access to Chargify’s interface. Customer support needs to access and manage subscription information, finance needs to view and export financial metrics, etc. Our access controls allow you define what users can see and do within your Chargify account.

Reliability You Can Count On

Your browser does not support SVGs

Data Redundancy

Our software runs in three datacenters across the US. On a daily basis, we export the database and store it in an offsite facility for extra redundancy.

Your browser does not support SVGs

24/7 Monitoring

Extensive performance and availability monitoring allows us to keep a close eye on system health and mitigate unforeseen issues early on.

Your browser does not support SVGs

99.99% Uptime

Uptime is as mission critical to us as it is to your business. Our trailing three-year uptime record is 99.99%, and we’re fanatical about maintaining that record.View our uptime report.

Your browser does not support SVGs

Hacker Tested

We regularly submit ourselves to hacking by the best "good-guy" hackers in the business. This practice ensures we remain the most reliable, secure system in the industry.

PGP Key

By default, we provide a PGP key to encrypt sensitive communication that you send to us.

        
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFl6C58BEAC1N60XVMYqg9bxqSPrfvXCDzpbdGRRXGYalL854zTDDCeaYCY3
KXzzTKcNZUIg0MIEEpiEkLhIPvkwz1jIBZ35vSBMMyy/QSzJhq+OePK+XhgP/d/i
2+raev7p//TaKf2+oXPWAEmVuorUHy35Vd4fZnS1lY/kfs/VbOPc9bgeZiL7St0i
Uvk9YulpXBBZsJ0nTcYqPVxYb2ttPs8RxqUMpOVJYt2BE7EOXFdP1VF0gzDbwKGe
//PlvcbIkki/jrGF1/RpnbQLQ6zxA+y7MDpztMDQeJw/BXZ4+s9upOC31FBNhW3j
DVrlQrxCpci8DgcYtb2xZ+Yr/hUPzkMhCgng+31z3OL9iDtKunukJQvHzYf4JnMR
Bj7V+gyBux15H5H76Uu4fqyRw95A3HPrYHxU8IK4I4Ukk4iNr+YJbIrrcxh7tHPi
oyT2GoPAS0o6qbBuEnQsbRqRFidwQrJg4iqWzHwt7bM9elj0LpEPZCGYj4BTFNYU
+HkemXkm8KRDFNccod5VirlcUGwD2F/W6U6NrbcGnG/oItl5RWH+iogwD9AZ3P+/
d8lLoSyUBAmo0V2msfUXstiA7hI4IZlxhM+kRRamK1fy1aSHpkvBJtiuaZKZz6EH
7pHa3k7VJ0UNsewnxTW5qIHdAT6/JcybbUYVEJJvGhaPZ/mspwtbNOioXwARAQAB
tClDaGFyZ2lmeSBTZWN1cml0eSA8c2VjdXJpdHlAY2hhcmdpZnkuY29tPokCVAQT
AQgAPhYhBEGCwPct+BiaDkFZikiXP0U9vJgtBQJZegufAhsDBQkBzW0ABQsJCAcC
BhUICQoLAgQWAgMBAh4BAheAAAoJEEiXP0U9vJgtTYkP/38ryx2kV4C0wRpbL754
7LzcsRlLgQ4GIRNHzxbhs9lecUtO2EADaqjfmHOWDDIvlekze38l36BgqNVfbtDv
pW5uF05C5B7tqYoFDjVXZ0JC17pnYFhkUyiRlvhon/W5A/gj76Y/fhOecZRuUhXq
UEXlnAlzUZxq4b5cBTXv7qFm2GQtHdA8w6MOiIBL5+GgTE6cNjEVld1tWKyXyw4O
+WEeP6Oj+C+xwsybabMu5VzemmMZPPVKmMUjITv9i8ZIxY5RN0LrBsiTMRjBHJ4G
Ym0iCi1i5YuMxtq7lOp8NhXJzS7/GosAyuutjm8E5Sr30yBHE7Rcki9o85t9OnJL
kBkdtwuEtMAsJ89RKt+ipo8KogmjYRbkLvCfv1uQELVDREfIwshyeD6gf4le/hoj
wPO8xAx5jSz8oRa9HD28LarhaZ6bdS1gT2IWjYgYI58373ZCb2qvmWmhjDr902b6
Y4LMnVZGZGZnM1iQNd+nZL2+O7NR2lR2yx1r/0gLy7t1frFItAWXxbOCWeZBJtse
Fjt27cxsIibcOXo1DumMZvJN9RfRtx/U3AVSzV4I3dCBg4xkjflXfWb0hj93Gbsd
Qd0qG8b/VMyKFMFhVW1gaVa8e9X+l1eEdgrN/ko8x9Rk2SNcW8jWSkcvNdPblkWc
e4L8qPfUL1VXtu33TVnz4uWAuQINBFl6C58BEAC93W7piAGITZRgt9zmx4b3LKNT
8Knkk92HjkBd+N1Jb/mmKZIR4M3CIrLz6Xa7XYzsgYRkpSnbZfGa4YirGk9ZiH/X
fH4nx/DsYxQfGdyImGWeTUOlW61gbhjz4hGeW45jPSD2D9ygMuLfKY7LjqcLfcSU
R7CBiNZq/JehBTaSe+0tos2+MurUKuBmpWr3Hdk2IG1kgpHQwF6RGBdILAA6ttC/
m7kHLwjg7wGbjvftNs05vmm2MD+LwNPO8gLc64vABhdvFDIc9/WmPdVenxMv4C31
NyEcZfEJie+K3BgUm3h8qgZZ0DuWYZAg/awI3OcuN6FVavpQEm+Ke/rXPSCleHDi
rqQt1xclclzsvzJzOxJeit6sT1qtMpYyF9ljfuds62exyb5+CYNVQ2WK3f4HvR77
9VvzXHpY9tpXWegyAIMYkQ80EIsSkSQJMLKRGefNpMDonoF2SwAZdnRaI+7/g3Kl
U0Tpk8+BvnryloLYyWXR8EOHi8me3Ug8cROQrogp/sNP0v/6ZqxYWdrUUaRIfR1+
epI6kxZMq2dlVk9YdPOFiYHX5x18NNn1BbMy0j8XTzgJOjVsoZPn22r20glWZcNw
dgZvqgD8OqmYKuTeDRUCDcFq8fTtFrcMA6z+ydhPRIJSAgZxBsaH1FKVACizuvMv
EXQ90tEkzmNlpA786QARAQABiQI8BBgBCAAmFiEEQYLA9y34GJoOQVmKSJc/RT28
mC0FAll6C58CGwwFCQHNbQAACgkQSJc/RT28mC0/rw/8Ch7PNU/QgsxJ3zJkSWyj
2HZWJ70E3u/Ul1bS55KDWam5JrlAvGCcKuUb/XtIyjWDze0Z1yNVs5kI2kfMnr/i
ePNB9DnLpkmU1yReV9iFWKHuQ3ZiYQ40escNfgiqj+whEJNhLeCKtS0fF0Y30JvS
mQ2GYN5n8LurmfTNs9xjHnT/xl1qekXhK3mEbxsUI5nzIZ2I8ROEReACBvFC0cAQ
I3KOa1Qk5U6zy1/wjrRgOSLmIXfGk27c75z2YRCD3//H4M1AyZ1TKYWQ5D0arGpF
xyiKKtofiGgrTZm2fDOs3RL/38IKYjvGIPol4Nm70oxpg0R5ENnTz2iPFWpDK06h
rjQ2lKUpida43EGLV2jpOnRX0kYEJYfbebqf25lHDpfDae6zEt2ppLS/jDNW6BxA
7B9/NyMT0iBx8apu3dWuwOnwruZ3X8SgXcsHzBG52SsXoUBaMr8X0Mpe8+QFo5ms
4HstE2FgEcDeTUxfm7NFmu5CrJV40Zhpt684lCjB6J43e+rPBsOUifRlLzdU/KOm
3olEddNEHe6r06/YXythS6gNN1E9OtTPHy6/iqFesv/rYZjOVpM/Pzdl1OMxL4cI
A+Yf1s/08gLlqgFY3dSDpZ3NGS1LM2ZTOPNsN1sz/AQ+1oPLMHemqMA2tEfjt6Q+
fjiLPM7p53YyuQ04M7jNfaQ=
=Wuxh
-----END PGP PUBLIC KEY BLOCK-----
Key ID:
3DBC982D
Key type:
RSA
Key size:
4096
User ID:
Chargify Security (security@chargify.com)
Fingerprint:
4182 C0F7 2DF8 189A 0E41 598A 4897 3F45 3DBC 982D
Expires:
2018-07-12

Help Us Keep Chargify Secure

We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

If you believe you have discovered a potential flaw in any area of Chargify's security measures, we ask that you please share the information with us first and retain secrecy of your findings until we have remediated the issue.

If you have identified a vulnerability, report it via email to security@chargify.com

We ask that you follow these rules for any responsible use of our system:

  • You may create a test account with the following limits: TWO accounts each with no more than TWO sites and TWO users.
  • Not in scope: Any ancillary sites not directly hosted by Chargify (such as reference.chargify.com, status.chargify.com, help.chargify.com. Zendesk, Tumblr, etc)
  • All data object creation is limited to a maximum of 50 objects per type
  • No automated off-the-shelf scanners (like Acunetix or the Burp Suite Scanner). We’ve had these run hundreds of times already
  • Scripted / API tests must be rate limited to 1 request per second
  • Absolutely NO attacks or exploits against accounts not created by you. You may only attempt cross-account access between two accounts controlled by YOU
  • No DOS/DDOS tests
  • Absolutely no physical testing such as office access (e.g. open doors, tailgaiting).
  • Absolutely no social engineering (e.g. phishing, vishing).

We ask that you please do not submit low value issues when there are only loose connections to known best practices, unless you can demonstrate a chained attack with higher impact. Google maintains an exhaustive list with explanations. This also includes things like:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure and HTTPOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Username enumeration via Login Page error message
  • Username enumeration via Forgot Password error message
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS / TRACE HTTP method enabled
  • SSL Attacks such as BEAST, BREACH, Renegotiation attack
  • SSL Forward secrecy not enabled
  • SSL Insecure cipher suites
  • The Anti-MIME-Sniffing header X-Content-Type-Options
  • Missing HTTP security headers

Ready for Elastic Billing ?
Let's get started.

Talk to a Billing Expert Try for Free
© 2018 Chargify® LLC. All rights reserved.